Showing and logging off VPN sessions via the ASA CLI

You could add this to my ‘Commands I always forget’ post, but since I’m going to turn this into a bit of a walkthrough, I decided to make it its own post. Most admins use two commands to verify IPSec VPN security associations. Those, of course, are…

ASA# show crypto isakmp sa

and

ASA# show crypto ipsec sa

Both of these commands provide you with a wealth of information about the IPSec connection. But what about SSL VPN sessions? Or WebVPN sessions? Since these technically aren’t IPSec connections, they don’t show up in the ‘show crypto’ commands. Below I’ll walk through a couple of commands that show you more information about all types of VPN connections.

How to log off current WebVPN Sessions

ASA# vpn-sessiondb logoff name langemakj
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "langemakj" logged off : 1

Notes: What’s interesting about the log off procedure is that it’s done by tunnel group or username. Note that in this instance, I don’t even have to specify that it’s a WebVPN session that I want to log off. Conversely, if I wanted to log off all of the WebVPN sessions, I could just input ‘vpn-sessiondb logoff webvpn’, which would log off all users connected to WebVPN.

Wrap up

So now that we have an idea of how it works with WebVPN connections, let’s use the trusty ‘?’ to see what else we can do with the ‘vpn-sessiondb’.

As you can see, you can use the vpn-sessiondb command to look at each type of VPN connection. While I usually still use the ‘show crypto’ commands for IPSec connections, you HAVE to use vpn-sessiondb for AnyConnect and WebVPN. Play around with it, and remember: the ‘?’ is your best friend!